Archive for March, 2007

Akismet achieves 1 Billion Comment spam blocked milestone

As I blogged earlier, Akismet has passed a huge milestone today. It crossed 1 billion comment spam blocked a few hours ago.

Besides me, a lot of people have been guessing when this milestone would be reached and, as guessed, it was reached over the weekend. As outlined in the picture below, two stats stand out below the chart. One is Total Spam blocked, which at the point of this screenshot stood at 1,024,961,562, and the other is Total Ham, which stood at 54,169,936. What this statistic reveals is that an alarming 95% of all the comments and trackbacks to blogs such as this one are spam. So with a billion spams blocked, there are just 54 million genuine comments (genuine comments, or total ham, are those which are not identified by Akismet as spam).

The only sure way right now to avoid spam is to not allow any form of commenting or connection to your blog from any other site on the internet. Which would defeat one of the primary benefits of a blog: connecting with other people.

I wouldn’t do that. So I rely on Akismet as the first line of spam defence and it does a very good job.

Akismet crosses 1 billion comment spam blocked


Akismet approaching 1 Billion Spam Comment Messages Blocked

You can’t stand spam. I can’t stand spam. Fortunately for us and most of the people using WordPress, Akismet is the perfect plugin dealing with comment spam. Akismet is the brainchild of Matt Mullenweg of WordPress and his merry band of Automattic hackers. Their favorite definition of kismet is “Kismet (principle), the magnetic attractive force that actualizes the playing out of karma; often used in the positive sense.”

Automattic Kismet (Akismet for short) is a collaborative effort to make comment and trackback spam a non-issue and restore innocence to blogging, so you never have to worry about spam again.

The graph below shows Ham and Spam since Akismet started. “Ham” is the non-spam message in Akismet lingo.

Akismet approaching 1 billion spam comments blocked

My Guess: We will hit the 1 Billion Spam comment sometime on Sunday (03/24). I will post a follow up post once we reach the 1 Billion mark.

Related Links:

1. Download Akismet plugin for WordPress and other Blogs


WordPress and Google Summer of Code

Looking for something fun to do this summer? All college and university students around the world are invited to apply to get paid $4,500 USD to work on your favorite open source project this summer.  This Blog is powered by WordPress and looks like it is only about to get even better.  WordPress is among the 131 accepted to Google Summer of Code, of more than 300 projects that applied.

It seems that WordPress has eight committed volunteers who are enthusiastic to mentor, learn, and make WordPress a little better in the process.

Check out their ideas for projects, or propose your own. You must apply by March 24.

Good luck!


White House issues a Common Secure Configuration Directive to CIOs

The White House released (at 9 AM Tuesday, March 20) a directive to all Federal CIOs, requiring that all new IT system acquisitions, beginning June 30, 2007, use a common secure configuration and, even more importantly, requiring information technology providers (integrators and software vendors) to certify that the products they deliver operate effectively using these secure configurations.

This initiative builds on the pioneering “comply or don’t connect” program of the US Air Force; it applies to both XP and Vista, and comes just in time to impact application developers building applications for Windows Vista, but impacts XP applications as well.  No VISTA application will be able to be sold to federal agencies if the application does not run on the secure version (SSLF) of Vista.  XP application vendors will also be required to certify that their applications run on the secure configuration of Windows XP.

The benefits of this move are enormous: common, secure configurations can help slow bot-net spreading, can radically reduce delays in patching, can stop many attacks directly, and organizations that have made the move report that it actually saves money rather than costs money.

The initiative leverages the $65 billion in federal IT spending to make systems safer for every user inside government but will quickly be adopted by organizations outside government. It makes security patching much more effective and IT user support much less expensive. It reflects heroic leadership in starting to fight back against cyber crime. Clay Johnson and Karen Evans in the White House both deserve kudos from everyone who cares about improving cyber security now.

Courtesy [SANS Flash News. SANS hasn't issued a FLASH announcement in more than two years]


How to Footprint a Corporate Network for Security and Pen Testing

This article is part # 4 in this series of penetration and security testing of a corporate network. Previously I talked about some dirty tactics which penetration testers might have to use. I also started this series by talking in general about Penetration and security testing and also some important computer security keywords and terminologies.

In this article, I will introduce you to some well-known tools which security analysts use to learn more about the layout of the network they are trying to test and to gather intelligence about that company, which we will use later on to conduct further tests and poke it for its weak points. The more information we can obtain, the more we can advise our client company of any potential problem areas. This whole process is called footprinting.

Footprinting (definition from Wikipedia):

Footprinting is the technique of gathering information about computer systems and the entities they belong to. This is done by employing various computer security techniques, such as Ping Sweeps, TCP Scans, UDP Scans, OS Identification, Network Enumeration, Registrar Queries, Organizational Queries, Domain Queries, Network Queries, POC Queries and DNS Interrogation.

When used in the computer security lexicon, “footprinting” generally refers to one of the pre-attack phases; tasks performed prior to doing the actual attack. Some of the tools used for footprinting are samspade, nslookup, traceroute and neotrace.

I will not be revealing what kind of Business my client does, but a lot of corporations out there perform most of their business online, through the web. Each of these companies would have a web site which should be the first place we use to gather intelligence about the company.

TOOL # 1: PAROS (http://www.parosproxy.org)

Paros is a Java-based HTTP/HTTPS proxy for assessing web application vulnerability. It supports editing/viewing HTTP messages on-the-fly. Other features include spiders, client certificate, proxy-chaining, intelligent scanning for XSS and SQL injections etc.

Paros requires that you have Java J2SE installed, which you can download from Sun here. Paros is available on both Unix and Windows platforms. You can download Paros Proxy here.

1. After you download Paros, you need to configure your browser’s Internet options. Set your HTTP proxy and Secure proxy addresses to “localhost” with port “8080” as shown below.

Set HTTP and SSL proxy settings in your browser

2. Launch Paros. In this example, we will use mit.edu as our target Internet location. Type in http://www.mit.edu. If you go back to Paros, you will see a screen that looks something like this:

Paros analysis of mit.edu

Google generates custom error when using netcat for banner information

I was writing an article on how to use HTTP to view web banner information. My first choice was to use the big G, Google.com. However, when I used the command nc google.com 80 and used OPTIONS / HTTP/1.1, Google generated this error message.

It is also interesting to observe how Google generates its logo using the color codes.

Google error message when using netcat

A Spammer who knows his spam might be blocked by Spam Filters

Okay, this email is rather funny. A spammer who knows his spam email might be blocked informs me that since this particular email has passed through my spam filters, I now have an opportunity to know about his great services and products. Apparently the spammer focuses on customer service and support too …

Spam email which bypassed image filters


How to rename multiple files or pictures all at once

If you are one of those people using a digital camera to capture pictures, then when you import your pictures to your computer, chances are that they have a weird naming scheme such as DSC001021 something etc. Using this tip, you would be able to rename many pictures all at once.

Rename multiple pictures all at once

1. Open the folder where you have saved your pictures. Select the batch of pictures you wish to rename. You can select multiple pictures by pressing <Ctrl> key plus the picture. Do not let go of the <Ctrl> key when you select a different picture.
2. Right-click the first picture selected and then click Rename.
3. Rename the first picture to whatever you like (for example, Vint Cerf Google Speaker Series), then click any empty space within the window to deselect the pictures.

Your pictures automatically rename themselves (“Vint Cerf Google Speaker Series (1),” “Vint Cerf Google Speaker Series (2),” etc.). This tip also works to rename any collection of files.



Microsoft XBOX Live Statistics including XBOX live Marketplace and XBOX live arcade

Xbox Live has recently hit 6 million users and on this occasion, Microsoft has released some stats. Following is the full press release from Microsoft letting us know of the various stats and numbers.

Xbox 360 | Momentum Fact Sheet

• More than 10 million Xbox 360s have hit store shelves since launch in November 2005, and more than 160 high definition games are now available, including Viva Piñata, Gears of War and Crackdown.

• Xbox 360 is available in 37 countries.

• The overall software attach rate for Xbox 360 is 4.6 titles per console in the United States with a record-breaking accessory attach rate of 2.9 units per console.

Xbox LIVE Connectivity & Usage:

• More than 6 million people are now members of Xbox LIVE.

• Following the launch of the Xbox LIVE online gaming network in November 2002, gamers have spent over 2.3 billion hours on the network playing games online with their friends around the world. This is equal to 95 million days of gaming or over 260,000 years. With our top title, Halo 2, which is being played on both the Xbox and Xbox 360, gamers have spent over 710 million hours playing online with over a half a billion games played.

• In fact, online gaming through Xbox LIVE is now a proven form of mainstream entertainment. The 18-34 male audience is comparable in size to the same audience tuning in to see the most popular network TV shows like CSI or The Office.

• Xbox LIVE on Xbox 360 continues to grow as a social community; we are seeing an average of over 2,000,000 text and voice messages sent every day between members on the service.

• The average Xbox LIVE Gold subscriber has 22 friends on their Xbox LIVE friends list.

• To date, Xbox 360 owners have unlocked nearly 300 million Achievements. All of those unlocked Achievements have created a total combined Gamerscore of nearly 7.5 billion.

• Top WW Xbox LIVE Titles on Xbox 360 to date:

1 Halo 2
2 Gears of War
3 Hexic HD
4 Call of Duty 2
5 Ghost Recon 3
6 Call Of Duty 3
7 Oblivion
8 PGR3
9 Tom Clancy’s Rainbow Six® Vegas
10 Perfect Dark Zero

(Based on the number of unique users)

Xbox LIVE Marketplace:

• Consumers have quickly jumped to the Xbox LIVE Marketplace as their one-stop download center. More than 70 percent Xbox LIVE members are downloading content from Marketplace, driving more than 135 million downloads since the launch of Xbox 360.

• Xbox LIVE Marketplace is home to more than 7,000 pieces of individual gaming and entertainment content, downloadable at the click of a button.

• Gamers have also quickly adopted the new Microsoft Points stored value system, with more than 5 Billion points activated on Marketplace to date.

• Online entertainment through Xbox LIVE is not just limited to games. Xbox 360 is the only console offering movie and TV downloads, and the new Xbox LIVE Video Marketplace (available in the US only) is packed with HD content from top partners such as Paramount, MTV Networks and CBS. As a result, nearly 50% of Xbox LIVE members in the U.S. log into Xbox LIVE Marketplace every time they turn on their console.

Xbox LIVE Arcade:

• Xbox LIVE Arcade has been an instant hit on the Xbox 360, with nearly 70% of all connected consoles already downloading and playing Xbox LIVE Arcade titles.

• Xbox LIVE Arcade has now surpassed 25 million downloads from its diverse library of original development and classic titles from the world’s best independent and established developers and publishers.

• Top worldwide Xbox LIVE Arcade titles on Xbox 360 to date (based on total number of full game downloads):
1. Street Fighter II’ Hyper Fighting
2. Bankshot Billiards 2
3. Marble Blast
4. UNO
5. DOOM


Check your Computer for DayLight Savings Time starting March 11

Beginning in 2007, daylight saving time (DST) will be extended in the United States. DST will start on March 11, 2007, which is three weeks earlier than usual, and it will end on November 4, 2007, which is one week later than usual. This results in a new DST period that is four weeks longer than in previous years.

Unless certain updates are applied to your computer, the time zone settings for your computer’s system clock may be incorrect during this four-week period. In particular, you must make sure that both your Windows operating system and your calendar programs are updated.

Microsoft has provided a nice tool which lets you verify whether your computer is up to date with the new daylight saving time rules. You need not worry if you have the Windows Vista operating system or if you have Automatic Updates turned on.

To determine which operating system you have, follow these steps for any operating system other than Windows Vista:

1. Click Start, and then click Run.
2. In the Open box, type sysdm.cpl, and then click OK.
3. Click the General tab. The name of the current version of your Windows software is displayed on this tab.

To verify whether your computer has been updated with the correct daylight saving time beginning March 11, follow this link from Microsoft:

Microsoft Daylight Savings Time

Automatic verification of your computer for Daylight savings time
